On Tuesday 2012-09-04 02:14, Maciej Żenczykowski wrote:
>+<----->if (cs->target->alias == NULL)^M
>+<-----><------>strcpy(cs->target->t->u.user.name, cs->jumpto);^M
>+<----->else^M
>+<-----><------>strcpy(cs->target->t->u.user.name, cs->target->alias);^M
>
>I'd have probably written if (cs->target->alias) copy(alias) else copy(jumpto)
>
>doesn't this all really belong in the CT files now?
>ie. libxt_CT.c not libxt_NOTRACK.c
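Review bot: both branches of the quoted hunk copy into the same destination, cs->target->t->u.user.name, with an unbounded strcpy and differ only in the source, so selecting the source first (alias if set, else jumpto, as suggested above) and doing a single bounded copy, e.g. with snprintf(..., sizeof(...)) or an explicit length check against the field size, would make the "fits in the name field" requirement explicit instead of relying on the caller having validated both strings. The ^M at the end of every added line also shows the patch was sent with CRLF line endings and will need the carriage returns stripped before it applies cleanly.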
I think so too.
Furthermore, I have refined Pablo's patch.
0. vcurrent was not updated, now done.
1. Loading libxt_NOTRACK.so would still ask the kernel for NOTRACK.0
(function "compatible_revision"), now addressed.
2. NOTRACK.0 can now directly map to CT.1, instead of going through CT.0.
3. Do away with libxt_NOTRACK.c, and resolve the dlopen call by
providing a symlink.
Not solved:
4. Since NOTRACK now always maps to CT, "-j NOTRACK"
has become unusable on sufficiently old kernels.
Should we even bother?
[ Agglomeration of two patches in git://git.inai.de/iptables master ]
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
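As an added example (not iptables code and not Jan's patch), the following C models the revision fallback described above: "-j NOTRACK" is mapped to the CT target, CT.1 is tried first and CT.0 second, and a kernel without any CT revision gets a clean failure rather than a rule load. The probe callback and the three kernel stubs are assumptions standing in for the kernel revision query that libxtables performs; the name-length limit is the kernel's XT_EXTENSION_MAXNAMELEN.

```c
#include <stdbool.h>
#include <string.h>

/* Stand-in for the kernel revision query libxtables performs (assumption:
 * a stub, not the real getsockopt-based compatible_revision()). Returns
 * true when the running kernel accepts target `name` at revision `rev`. */
typedef bool (*revision_probe_fn)(const char *name, unsigned int rev);

#define XT_EXTENSION_MAXNAMELEN 29   /* kernel's limit for extension names */

struct resolved_target {
    char name[XT_EXTENSION_MAXNAMELEN];
    unsigned int revision;
};

/* Map a user-facing target name to what is loaded into the kernel.
 * Returns false when no usable revision exists (kernel too old). */
bool resolve_target(const char *jumpto, revision_probe_fn probe,
                    struct resolved_target *out)
{
    /* NOTRACK is now an alias of CT; other names pass through unchanged. */
    const char *real = strcmp(jumpto, "NOTRACK") == 0 ? "CT" : jumpto;
    const unsigned int try_revs[] = { 1, 0 };   /* newest first, then fall back */

    if (strlen(real) >= sizeof(out->name))
        return false;                          /* never overflow the name field */
    for (size_t i = 0; i < sizeof(try_revs) / sizeof(try_revs[0]); i++) {
        if (probe(real, try_revs[i])) {
            memcpy(out->name, real, strlen(real) + 1);
            out->revision = try_revs[i];
            return true;
        }
    }
    return false;
}

/* Constructed stand-ins for kernels named in the thread: 2.6.32 has no CT
 * target, 2.6.34 added CT.0, 3.4 added CT.1. Other targets: rev 0 only. */
static bool stub_probe(const char *name, unsigned int rev,
                       bool has_ct, unsigned int max_ct_rev)
{
    if (strcmp(name, "CT") == 0)
        return has_ct && rev <= max_ct_rev;
    return rev == 0;
}
bool probe_kernel_2_6_32(const char *n, unsigned int r) { return stub_probe(n, r, false, 0); }
bool probe_kernel_2_6_34(const char *n, unsigned int r) { return stub_probe(n, r, true, 0); }
bool probe_kernel_3_4(const char *n, unsigned int r)    { return stub_probe(n, r, true, 1); }
```

With the 2.6.32 stub, resolve_target("NOTRACK", ...) fails even though that kernel has a native NOTRACK.0, which is precisely the "unusable on sufficiently old kernels" trade-off the thread goes on to discuss.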

> I think so too.
> Furthermore, I have refined Pablo's patch.
>
> 0. vcurrent was not updated, now done.
> 1. Loading libxt_NOTRACK.so would still ask the kernel for NOTRACK.0
> (function "compatible_revision"), now addressed.
> 2. NOTRACK.0 can now directly map to CT.1, instead of going through CT.0.
> 3. Do away with libxt_NOTRACK.c, and resolve the dlopen call by
> providing a symlink.
Nice.
> Not solved:
> 4. Since NOTRACK now always maps to CT, "-j NOTRACK"
> has become unusable on sufficiently old kernels.
> Should we even bother?
Yes, we must, otherwise distros can't upgrade to latest iptables
without either patching or upgrading kernel.
It's really nice that the two aren't that tightly coupled.
Unless by old kernels you mean pre-RHEL5 kernels.

On Mon, Sep 03, 2012 at 10:29:40PM -0700, Maciej Żenczykowski wrote:
[...]
> > Not solved:
> > 4. Since NOTRACK now always maps to CT, "-j NOTRACK"
> > has become unusable on sufficiently old kernels.
> > Should we even bother?
>
> Yes, we must, otherwise distros can't upgrade to latest iptables
> without either patching or upgrading kernel.
Why not? They will upgrade and they will start using the CT target
sooner than any other, which seems good to me.

On Tuesday 2012-09-04 10:58, Pablo Neira Ayuso wrote:
>On Mon, Sep 03, 2012 at 10:29:40PM -0700, Maciej Żenczykowski wrote:
>[...]
>> > Not solved:
>> > 4. Since NOTRACK now always maps to CT, "-j NOTRACK"
>> > has become unusable on sufficiently old kernels.
>> > Should we even bother?
>>
>> Yes, we must, otherwise distros can't upgrade to latest iptables
>> without either patching or upgrading kernel.
>
>Why not? They will upgrade and they will start using the CT target
>sooner than any other, which seems good to me.
>
>We also need to add support for real_rev 0 of the CT target. Just to
>make sure that we don't break with old kernels.
Right; but is that not what might be described as "hypocritic"?
Even after adding support for CT.0, people still need >= 2.6.34.
Where is the non-breakage for them?
(I can't say I feel /too/ bad for the RHEL folks stuck with their
ancient 2.6.32 :-P )
(And don't tell me about backports, because in general, they don't
do that for NF.)

On Tue, Sep 04, 2012 at 05:15:17PM +0200, Jan Engelhardt wrote:
> On Tuesday 2012-09-04 10:58, Pablo Neira Ayuso wrote:
>
> >On Mon, Sep 03, 2012 at 10:29:40PM -0700, Maciej Żenczykowski wrote:
> >[...]
> >> > Not solved:
> >> > 4. Since NOTRACK now always maps to CT, "-j NOTRACK"
> >> > has become unusable on sufficiently old kernels.
> >> > Should we even bother?
> >>
> >> Yes, we must, otherwise distros can't upgrade to latest iptables
> >> without either patching or upgrading kernel.
> >
> >Why not? They will upgrade and they will start using the CT target
> >sooner than any other, which seems good to me.
> >
> >We also need to add support for real_rev 0 of the CT target. Just to
> >make sure that we don't break with old kernels.
>
> Right; but is that not what might be described as "hypocritic"?
> Even after adding support for CT.0, people still need >= 2.6.34.
> Where is the non-breakage for them?
Well yes, we have to break at some point, but better if we break for
kernels before 2.6.34 than before 3.4 (CT.1 was added there) ;-).
So what we're doing is just trying to do our best to avoid the sure
breakage that will happen in upcoming 3.7 where NOTRACK will be gone.
There's only one single -stable branch that would break using recent
iptables + old kernel.
> (I can't say I feel /too/ bad for the RHEL folks stuck with their
> ancient 2.6.32 :-P )
> (And don't tell me about backports, because in general, they don't
> do that for NF.)
I'm mostly thinking of embedded people, that usually stick to really
old kernels.